CN109413062A - Method and system for monitoring and handling malicious attacks on virtual hosts, and node server - Google Patents
- Publication number
- CN109413062A, CN201811232473.9A
- Authority
- CN
- China
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45504—Abstract machines for programme code execution, e.g. Java virtual machine [JVM], interpreters, emulators
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/06—Management of faults, events, alarms or notifications
- H04L41/0654—Management of faults, events, alarms or notifications using network fault recovery
- H04L41/0659—Management of faults, events, alarms or notifications using network fault recovery by isolating or reconfiguring faulty entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
- H04L43/0876—Network utilisation, e.g. volume of load or congestion level
- H04L43/0894—Packet rate
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
Abstract
The invention discloses a method and system for monitoring and handling malicious attacks on virtual hosts, and a node server, and relates to the field of Internet technology. The method comprises: capturing all inbound IP data packets in real time and parsing them; when a preset detection interval time is reached, obtaining, from the parsed IP data packets, the actual data packet size of each virtual host within a preset time interval; calculating the actual bandwidth of each virtual host from its actual data packet size; judging, for each virtual host, whether its actual bandwidth is greater than its corresponding bandwidth upper limit; and, when the actual bandwidth of a virtual host is greater than its corresponding bandwidth upper limit, disconnecting the network of that virtual host. In the invention, monitoring of each virtual host for malicious attack is performed by the corresponding node server itself, so a monitoring failure on one node server does not affect the other node servers in the distributed system.
Description
Technical field
The present invention relates to the field of Internet technology, and in particular to a method and system for monitoring and handling malicious attacks on virtual hosts, and a node server.
Background technique
With the development of Internet technology, physical servers in distributed public cloud clusters (hereinafter, node servers) are widely used; in use, multiple public cloud servers (hereinafter, virtual hosts) are deployed on each node server.
To deal with malicious attacks on virtual hosts, the existing approach is generally to place dedicated equipment at core key positions of the IDC (Internet Data Center) machine room, such as the network egress, to monitor all virtual hosts on all node servers centrally; after a problem is found, the attack is dealt with by manually modifying the router configuration or by unplugging the network cable.
This approach has the following problems:
1. The dedicated equipment is prone to a single point of failure; if it fails, monitoring of all virtual hosts in the distributed system is affected.
2. Because processing is centralized, processing capacity cannot grow linearly with the number of node servers/virtual hosts under management or with the network egress bandwidth.
3. Manual intervention is needed when an attack occurs, which is difficult to automate and often causes some loss, such as service interruption.
Summary of the invention
The object of the present invention is to provide a method and system for monitoring and handling malicious attacks on virtual hosts, and a node server, such that even if a single point of failure occurs, not all virtual hosts in the distributed system are affected.
The technical solution provided by the invention is as follows:
A method for monitoring and handling malicious attacks on virtual hosts, applied to each node server in a distributed system, at least one virtual host being deployed on each node server, the method comprising: capturing all inbound IP data packets in real time and parsing them; when a preset detection interval time is reached, obtaining, from the parsed IP data packets, the actual data packet size of each virtual host within a preset time interval; calculating the actual bandwidth of each virtual host from its actual data packet size; judging, for each virtual host, whether its actual bandwidth is greater than its corresponding bandwidth upper limit; and, when the actual bandwidth of a virtual host is greater than its corresponding bandwidth upper limit, disconnecting the network of that virtual host.
In the above technical solution, each virtual host is monitored by the node server on which it runs; even if one node server fails, monitoring on the other node servers is unaffected; monitoring capacity grows linearly as node servers are added; and when an attack occurs the network can be disconnected automatically without manual intervention, giving a fast response.
Further, the inbound IP data packets are: IP data packets sent by devices other than the local node server.
In the above technical solution, IP data packets that the virtual hosts on the local node server send to one another are not monitored; only inbound IP data packets are monitored, which reduces the amount of monitoring and avoids unnecessary performance overhead.
Further, each parsed IP data packet comprises: a destination IP address and a parsed data packet; and obtaining, when the preset detection interval time is reached, the actual data packet size of each virtual host within the preset time interval from the parsed IP data packets specifically comprises: adding each parsed data packet to the data packet list of the virtual host corresponding to its destination IP address; and, when the preset detection interval time is reached, computing from the data packet list of each virtual host the actual data packet size of that virtual host within the preset time interval.
In the above technical solution, the actual data packet size of each virtual host is obtained periodically, which makes the actual bandwidth easy to calculate and keeps the result up to date.
Further, calculating the actual bandwidth of each virtual host from its actual data packet size specifically comprises: dividing the actual data packet size of each virtual host by the preset time interval to obtain the actual bandwidth of that virtual host.
The above technical solution defines how the actual bandwidth is calculated.
Further, the method also comprises: receiving configuration information sent by a management back-end server, the configuration information comprising: the bandwidth upper limit of each virtual host.
In the above technical solution, the management back-end server assigns the bandwidth upper limits of the virtual hosts on all node servers centrally, which spares engineers from configuring them one by one and improves the user experience.
The invention also provides a node server on which at least one virtual host is deployed, comprising: a capture and parsing module, configured to capture all inbound IP data packets in real time and parse them; a size acquisition module, configured to obtain, when the preset detection interval time is reached, the actual data packet size of each virtual host within the preset time interval from the parsed IP data packets; a bandwidth calculation module, configured to calculate the actual bandwidth of each virtual host from its actual data packet size; a bandwidth judgment module, configured to judge, for each virtual host, whether its actual bandwidth is greater than its corresponding bandwidth upper limit; and a network disconnection module, configured to disconnect the network of a virtual host when its actual bandwidth is greater than its corresponding bandwidth upper limit.
In the above technical solution, each virtual host is monitored by the node server on which it runs; even if one node server fails, monitoring on the other node servers is unaffected; monitoring capacity grows linearly as node servers are added; and when an attack occurs the network can be disconnected automatically without manual intervention, giving a fast response.
Further, each parsed IP data packet comprises: a destination IP address and a parsed data packet; and the size acquisition module, configured to obtain, when the preset detection interval time is reached, the actual data packet size of each virtual host within the preset time interval from the parsed IP data packets, specifically comprises: an aggregation submodule, configured to add each parsed data packet to the data packet list of the virtual host corresponding to its destination IP address; and a statistics submodule, configured to compute, when the preset detection interval time is reached, the actual data packet size of each virtual host within the preset time interval from the data packet list of that virtual host.
Further, the bandwidth calculation module being configured to calculate the actual bandwidth of each virtual host from its actual data packet size specifically means: the bandwidth calculation module is configured to divide the actual data packet size of each virtual host by the preset time interval to obtain the actual bandwidth of that virtual host.
Further, the node server also comprises: an information receiving module, configured to receive configuration information sent by a management back-end server, the configuration information comprising: the bandwidth upper limit of each virtual host.
The invention also provides a system for monitoring malicious attacks on virtual hosts, comprising: a management back-end server and a plurality of node servers as described in any of the above.
Compared with the prior art, the beneficial effects of the method and system for monitoring and handling malicious attacks on virtual hosts, and of the node server, of the invention are:
In the invention, monitoring of each virtual host for malicious attack is performed by the corresponding node server itself, so a monitoring failure on one node server does not affect the other node servers in the distributed system; and because the monitoring program runs on each node server, capacity expands linearly when new node servers are added to the distributed system, without placing excessive demands on the performance of the management back-end server.
Description of the drawings
The above characteristics, technical features, advantages and implementations of the method and system for monitoring and handling malicious attacks on virtual hosts, and of the node server, are further described below in a clear and easily understood manner through preferred embodiments with reference to the drawings.
Fig. 1 is a flowchart of one embodiment of the method of the invention for monitoring and handling malicious attacks on virtual hosts;
Fig. 2 is a flowchart of another embodiment of the method of the invention for monitoring and handling malicious attacks on virtual hosts;
Fig. 3 is a structural diagram of one embodiment of the node server of the invention;
Fig. 4 is a structural diagram of another embodiment of the node server of the invention;
Fig. 5 is a structural diagram of one embodiment of the system of the invention for monitoring malicious attacks on virtual hosts.
Reference numerals:
10. capture and parsing module, 20. size acquisition module, 21. aggregation submodule, 22. statistics submodule, 30. bandwidth calculation module, 40. bandwidth judgment module, 50. network disconnection module, 60. information receiving module, 100. management back-end server, 200. node server.
Detailed description of the embodiments
In order to explain the embodiments of the invention or the technical solutions of the prior art more clearly, specific embodiments of the invention are described below with reference to the drawings. Obviously, the drawings described below show only some embodiments of the invention; a person of ordinary skill in the art can derive other drawings, and other embodiments, from them without creative effort.
To keep the drawings simple, each figure shows only the parts relevant to the invention schematically; they do not represent the actual structure of a product. In addition, so that the figures are easy to understand, where several components in a figure have the same structure or function, only one of them is drawn or labelled. Herein, "a" or "one" means not only "only one" but can also mean "more than one".
Fig. 1 shows one embodiment of the invention: a method for monitoring and handling malicious attacks on virtual hosts, applied to each node server in a distributed system, with at least one virtual host deployed on each node server. The method comprises:
S101 The node server captures (on the local target network card, chosen according to the network card actually in use) all inbound IP data packets in real time and parses them.
Specifically, inbound IP data packets are IP data packets sent by devices other than the local node server (for example, other node servers, mobile terminals, etc.).
Parsing each IP data packet yields a destination IP address (that is, the virtual host to which the packet is to be sent) and a parsed data packet.
S102 When the preset detection interval time is reached, the node server obtains, from the parsed IP data packets, the actual data packet size of each virtual host within the preset time interval.
Specifically, the node server periodically checks the actual bandwidth of each virtual host; if a problem is found, it can take timely measures to stop the external malicious attack.
The preset detection interval time and the preset time interval are set according to actual needs. For example, with a preset time interval of 1 minute, 10:01:00, 10:02:00, 10:03:00 ... are the preset detection interval times; at 10:02:00, the node server obtains the actual data packet size of each virtual host for the 1 minute from 10:01:01 to 10:02:00.
S103 The node server calculates the actual bandwidth of each virtual host from its actual data packet size.
S104 The node server judges, for each virtual host, whether its actual bandwidth is greater than its corresponding bandwidth upper limit.
Specifically, at every preset detection interval time, the current actual bandwidth of each virtual host is calculated, which keeps the data up to date.
Each virtual host is given its own bandwidth upper limit according to its function. The limit is set so that the bandwidth the virtual host uses under normal conditions cannot exceed it; if the bandwidth upper limit is exceeded, the virtual host is under malicious attack.
S105 When the actual bandwidth of a virtual host is greater than its corresponding bandwidth upper limit, the node server disconnects the network of that virtual host. A virtual host whose actual bandwidth is not greater than its bandwidth upper limit is allowed to communicate normally.
For example, as shown in Table 1 below, a node server hosts 5 virtual hosts (A-E) whose actual bandwidths are 40M, 20M, 25M, 30M and 50M respectively, with corresponding bandwidth upper limits of 50M, 50M, 50M, 50M and 40M. The comparison shows that the actual bandwidth of virtual host E is greater than its corresponding bandwidth upper limit, so the node server disconnects the network of virtual host E and discards the IP data packets received for it, making the IP address of virtual host E unreachable on the network. This stops the external malicious attack and keeps the other virtual hosts on this node server running normally.
Table 1
Virtual host | Actual bandwidth | Bandwidth upper limit |
A | 40M | 50M |
B | 20M | 50M |
C | 25M | 50M |
D | 30M | 50M |
E | 50M | 40M |
In the distributed system, each node server is communicatively connected to a management back-end server and can receive the configuration information that the management back-end server sends; the configuration information comprises: the bandwidth upper limit of each virtual host.
Engineers set the bandwidth upper limits of the virtual hosts on all node servers centrally on the management back-end server, which sends them to the corresponding node servers; this gives unified management that is simple and convenient.
In this embodiment, monitoring of each virtual host for malicious attack is performed by the corresponding node server itself, so a monitoring failure on one node server does not affect the other node servers in the distributed system; and because the monitoring program runs on each node server, capacity expands linearly when new node servers are added to the distributed system, without placing excessive demands on the performance of the management back-end server.
As an improvement on the above embodiment (parts identical to the above are not described again), Fig. 2 shows another embodiment of the invention, comprising:
S201 Capturing (on the local target network card) all inbound IP data packets in real time and parsing them; inbound IP data packets are IP data packets sent by devices other than the local node server; each parsed IP data packet comprises: a destination IP address and a parsed data packet.
S202 When the preset detection interval time is reached, obtaining, from the parsed IP data packets, the actual data packet size of each virtual host within the preset time interval, which specifically comprises:
S212 Adding each parsed data packet to the data packet list of the virtual host corresponding to its destination IP address;
S222 When the preset detection interval time is reached, computing from the data packet list of each virtual host the actual data packet size of that virtual host within the preset time interval.
Specifically, inbound IP data packets are captured and parsed in real time and filed under the virtual host corresponding to the destination IP address; when the preset detection interval time is reached, the actual data packet size of each virtual host within the preset time interval can be computed, which makes its actual bandwidth easy to calculate.
For example: an inbound IP data packet is captured; parsing yields a 1KB parsed data packet and the destination IP address 218.82.95.213, and this 1KB parsed data packet is added under virtual host 1, which corresponds to 218.82.95.213.
Suppose virtual host 1 has 4 parsed data packets within the preset time interval, of 1.5KB, 1KB, 1.2KB and 1.1KB respectively; when the preset detection interval time is reached, the actual data packet size of virtual host 1 within the 30 seconds (the preset time interval) is 1.5+1+1.2+1.1=4.8KB.
The actual data packet size of every virtual host is obtained in the same way, which is not described in detail here.
S203 Calculating the actual bandwidth of each virtual host from its actual data packet size, which specifically comprises: S213 dividing the actual data packet size of each virtual host by the preset time interval to obtain the actual bandwidth of that virtual host.
Specifically, the unit of actual bandwidth is M/S, so the preset time interval must be converted to seconds for the calculation.
For example: if the preset time interval is 1 minute and the actual data packet size of virtual host 2 is 90M, the actual bandwidth of virtual host 2 is 90/60=1.5M/S. The calculation for the other virtual hosts is the same and is not repeated here.
S204 Judging, for each virtual host, whether its actual bandwidth is greater than its corresponding bandwidth upper limit;
S205 When the actual bandwidth of a virtual host is greater than its corresponding bandwidth upper limit, disconnecting the network of that virtual host.
Optionally, the method further comprises: receiving configuration information sent by the management back-end server, the configuration information comprising: the bandwidth upper limit of each virtual host.
The node server of this embodiment captures and aggregates the parsed data packets of each virtual host in real time and performs the bandwidth judgment periodically, which effectively monitors whether each virtual host is under malicious attack; if a problem arises, timely measures are taken to protect the normal operation of the virtual hosts on this node server that are not under malicious attack.
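Steps S201 to S205 as a runnable sketch, added here as an illustration and not taken from the patent text. The class and function names, the constructed documentation-range IP addresses, the 1-second interval and the reading of "M" as 10**6 bytes are assumptions of this example; the traffic is constructed so that the results match Table 1.

```python
from collections import defaultdict
from dataclasses import dataclass

MB = 1_000_000  # assumption: the page's "M" is read as 10**6 bytes


@dataclass(frozen=True)
class ParsedPacket:
    src: str   # source IP address
    dst: str   # destination IP address (selects the virtual host)
    size: int  # parsed data packet size in bytes


class NodeMonitor:
    """Runs on one node server and watches only that node's virtual hosts."""

    def __init__(self, node_ip, vhost_by_ip, interval_s):
        self.vhost_by_ip = dict(vhost_by_ip)
        # Senders on this node: the node itself and its own virtual hosts.
        self.local_ips = {node_ip, *self.vhost_by_ip}
        self.interval_s = interval_s
        self.limits = {}                       # virtual host -> MB/s
        self.packet_lists = defaultdict(list)  # virtual host -> sizes
        self.disconnected = set()

    def receive_config(self, limits):
        """Bandwidth upper limits pushed by the management back-end server."""
        self.limits = dict(limits)

    def on_packet(self, pkt):
        """S201/S212: keep inbound packets, file them under the target host."""
        vhost = self.vhost_by_ip.get(pkt.dst)
        if vhost is None or pkt.src in self.local_ips:
            return "ignored"   # not for a local virtual host, or intra-node
        if vhost in self.disconnected:
            return "dropped"   # S205 has already cut this host off
        self.packet_lists[vhost].append(pkt.size)
        return "counted"

    def on_detection_time(self):
        """S222, S213, S204 and S205 for the interval that just ended."""
        bandwidth = {}
        # fromkeys() de-duplicates hosts that own more than one IP address.
        for vhost in dict.fromkeys(self.vhost_by_ip.values()):
            total = sum(self.packet_lists.pop(vhost, []))
            bandwidth[vhost] = total / self.interval_s / MB
            limit = self.limits.get(vhost)
            # Strictly greater than the limit, as in S204. A host with no
            # configured limit stays connected (assumption of this sketch).
            if limit is not None and bandwidth[vhost] > limit:
                self.disconnected.add(vhost)
        return bandwidth


def run_table_one():
    """Replay constructed traffic that reproduces Table 1 over 1 second."""
    hosts = {f"203.0.113.{i}": name
             for i, name in enumerate("ABCDE", start=1)}
    mon = NodeMonitor("192.0.2.10", hosts, interval_s=1)
    mon.receive_config({"A": 50, "B": 50, "C": 50, "D": 50, "E": 40})
    target_mb = {"A": 40, "B": 20, "C": 25, "D": 30, "E": 50}
    for ip, name in hosts.items():
        for _ in range(target_mb[name] * 1000):   # 1000-byte packets
            mon.on_packet(ParsedPacket("198.51.100.7", ip, 1000))
    # Traffic from host A to host E stays on the node: not inbound.
    intra = mon.on_packet(ParsedPacket("203.0.113.1", "203.0.113.5", 1000))
    bandwidth = mon.on_detection_time()
    # After the check, packets for the disconnected host are discarded.
    after = mon.on_packet(ParsedPacket("198.51.100.7", "203.0.113.5", 1000))
    return bandwidth, sorted(mon.disconnected), intra, after


if __name__ == "__main__":
    print(run_table_one())
```

Because the comparison in S204 is strict, a host measured exactly at its limit stays connected, and a host that exceeds the limit is only cut off at the next detection time, so the interval length bounds how long an overload can run.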
Fig. 3 shows an embodiment of a node server of the invention, on which at least one virtual host is deployed, comprising:
A capture and parsing module 10, configured to capture (on the local target network card, chosen according to the network card actually in use) all inbound IP data packets in real time and parse them.
Specifically, inbound IP data packets are IP data packets sent by devices other than the local node server (for example, other node servers, mobile terminals, etc.).
Parsing each IP data packet yields a destination IP address (that is, the virtual host to which the packet is to be sent) and a parsed data packet.
A size acquisition module 20, configured to obtain, when the preset detection interval time is reached, the actual data packet size of each virtual host within the preset time interval from the parsed IP data packets.
Specifically, the node server periodically checks the actual bandwidth of each virtual host; if a problem is found, it can take timely measures to stop the external malicious attack.
The preset detection interval time and the preset time interval are set according to actual needs. For example, with a preset time interval of 1 minute, 10:01:00, 10:02:00, 10:03:00 ... are the preset detection interval times; at 10:02:00, the node server obtains the actual data packet size of each virtual host for the 1 minute from 10:01:01 to 10:02:00.
A bandwidth calculation module 30, configured to calculate the actual bandwidth of each virtual host from its actual data packet size.
A bandwidth judgment module 40, configured to judge, for each virtual host, whether its actual bandwidth is greater than its corresponding bandwidth upper limit.
Specifically, at every preset detection interval time, the current actual bandwidth of each virtual host is calculated, which keeps the data up to date.
Each virtual host is given its own bandwidth upper limit according to its function. The limit is set so that the bandwidth the virtual host uses under normal conditions cannot exceed it; if the bandwidth upper limit is exceeded, the virtual host is under malicious attack.
A network disconnection module 50, configured to disconnect the network of a virtual host when its actual bandwidth is greater than its corresponding bandwidth upper limit. A virtual host whose actual bandwidth is not greater than its bandwidth upper limit is allowed to communicate normally.
For a specific example, refer to the corresponding method embodiment; it is not repeated here.
In the distributed system, each node server is communicatively connected to a management back-end server, and the information receiving module of each node server can receive the configuration information that the management back-end server sends; the configuration information comprises: the bandwidth upper limit of each virtual host.
Engineers set the bandwidth upper limits of the virtual hosts on all node servers centrally on the management back-end server, which sends them to the corresponding node servers; this gives unified management that is simple and convenient.
In this embodiment, monitoring of each virtual host for malicious attack is performed by the corresponding node server itself, so a monitoring failure on one node server does not affect the other node devices in the distributed system; and because the monitoring program runs on each node server, capacity expands linearly when new node servers are added to the distributed system, without placing excessive demands on the performance of the management back-end server.
As an improvement on the above node server embodiment (parts identical to the above are not described again), Fig. 4 shows another embodiment of a node server of the invention, comprising:
A capture and parsing module 10, configured to capture (on the local target network card) all inbound IP data packets in real time and parse them; inbound IP data packets are IP data packets sent by devices other than the local node server; each parsed IP data packet comprises: a destination IP address and a parsed data packet.
A size acquisition module 20, configured to obtain, when the preset detection interval time is reached, the actual data packet size of each virtual host within the preset time interval from the parsed IP data packets, which specifically comprises:
An aggregation submodule 21, configured to add each parsed data packet to the data packet list of the virtual host corresponding to its destination IP address;
A statistics submodule 22, configured to compute, when the preset detection interval time is reached, the actual data packet size of each virtual host within the preset time interval from the data packet list of that virtual host.
Specifically, inbound IP data packets are captured and parsed in real time and filed under the virtual host corresponding to the destination IP address; when the preset detection interval time is reached, the actual data packet size of each virtual host within the preset time interval can be computed, which makes its actual bandwidth easy to calculate.
For example: an inbound IP data packet is captured; parsing yields a 1KB parsed data packet and the destination IP address 218.82.95.213, and this 1KB parsed data packet is added under virtual host 1, which corresponds to 218.82.95.213.
Suppose virtual host 1 has 4 parsed data packets within the preset time interval, of 1.5KB, 1KB, 1.2KB and 1.1KB respectively; when the preset detection interval time is reached, the actual data packet size of virtual host 1 within the 30 seconds (the preset time interval) is 1.5+1+1.2+1.1=4.8KB.
The actual data packet size of every virtual host is obtained in the same way, which is not described in detail here.
A bandwidth calculation module 30, for calculating the actual bandwidth of each virtual host from the actual data packet size of each virtual host. Specifically, the bandwidth calculation module 30 divides the actual data packet size of each virtual host by the preset time interval to obtain the actual bandwidth of that virtual host.
Specifically, the unit of actual bandwidth is M/S, so the preset time interval must be converted to seconds for the calculation.
For example: if the preset time interval is 1 minute and the actual data packet size of virtual host 2 is 90M, then the actual bandwidth of virtual host 2 is 90/60=1.5M/S. The calculation is the same for the other virtual hosts and is not repeated here.
A bandwidth judgment module 40, for judging, for each virtual host, whether its actual bandwidth is greater than its corresponding bandwidth upper limit;
A network disconnection module 50, for disconnecting the network of a virtual host when the actual bandwidth of that virtual host is greater than its corresponding bandwidth upper limit.
An information receiving module 60, for receiving configuration information sent by the management background server, the configuration information comprising: the bandwidth upper limit of each virtual host.
The node server of this embodiment captures and aggregates the parsed data packets of each virtual host in real time and performs the bandwidth judgment periodically, which effectively monitors whether each virtual host is under malicious attack. If an attack is found, measures are taken promptly, protecting the normal operation of the virtual hosts on this node server that are not under malicious attack.
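The per-interval check described in this embodiment (collect by destination IP address, sum, divide by the interval in seconds, compare with the upper limit), as an added Python example that is not code from the patent. The class and method names, the treatment of "M" as 2**20 bytes and the constructed traffic are assumptions; the code returns the addresses to disconnect and leaves the disconnect action to the caller, since the page does not say how the network is disconnected.

```python
from collections import defaultdict

MB = 1024 * 1024  # assumption: the page's "M" is treated as 2**20 bytes


class VhostBandwidthMonitor:
    """Inbound bandwidth check for the virtual hosts on one node server."""

    def __init__(self, limits_mb_s, interval_s):
        # limits_mb_s: destination IP -> bandwidth upper limit in M/S, i.e. the
        # configuration information sent by the management background server.
        self.limits = dict(limits_mb_s)
        self.interval_s = interval_s
        self.packet_lists = defaultdict(list)  # destination IP -> sizes in bytes
        self.unmatched_bytes = 0

    def on_packet(self, dst_ip, size_bytes):
        """Collecting step: file one parsed inbound packet under its host."""
        if dst_ip in self.limits:
            self.packet_lists[dst_ip].append(size_bytes)
        else:
            # No virtual host owns this address; count it so it stays visible.
            self.unmatched_bytes += size_bytes

    def on_interval(self):
        """Statistics, calculation and judgment, once per detection interval."""
        bandwidth, over_limit = {}, []
        for ip, limit in self.limits.items():
            total_mb = sum(self.packet_lists.get(ip, ())) / MB
            bandwidth[ip] = total_mb / self.interval_s  # interval in seconds
            if bandwidth[ip] > limit:  # strictly greater, as in the page
                over_limit.append(ip)
        self.packet_lists.clear()  # the next interval starts from empty lists
        return bandwidth, over_limit


def run_constructed_example():
    # Constructed input: 218.82.95.213 is the page's example address; the
    # second address, both limits and the 60 s interval are made up here.
    monitor = VhostBandwidthMonitor(
        {"218.82.95.213": 1.0, "203.0.113.20": 1.0}, interval_s=60)
    for size in (1536, 1024, 1229, 1126):      # about 4.8KB for virtual host 1
        monitor.on_packet("218.82.95.213", size)
    for _ in range(90):                        # 90M for virtual host 2
        monitor.on_packet("203.0.113.20", MB)
    monitor.on_packet("198.51.100.7", 500)     # address with no virtual host
    return monitor, monitor.on_interval()


if __name__ == "__main__":
    _, (bandwidth, over_limit) = run_constructed_example()
    print(bandwidth, "disconnect:", over_limit)
```

A host whose bandwidth equals its upper limit exactly is not flagged, and the lists are emptied after each check so one interval's traffic is never counted twice.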
Fig. 5 shows one embodiment of the system of the invention for monitoring virtual hosts for malicious attack, comprising: a management background server 100 and a plurality of node servers 200 as described in any of the node server embodiments above.
The management background server sends each node server the bandwidth upper limits of the virtual hosts on that node server, so that each node server can itself monitor its virtual hosts for malicious attack. An engineer can assign different bandwidth upper limits according to the different services each virtual host handles.
In this embodiment the bandwidth upper limits of the virtual hosts on every node server are configured uniformly by the management background server, which lets engineers manage them centrally and is convenient and fast to use.
It should be noted that the above embodiments can be freely combined as needed. The above are only preferred embodiments of the invention. It should be noted that those of ordinary skill in the art can make several improvements and modifications without departing from the principle of the invention, and these improvements and modifications should also be regarded as falling within the scope of protection of the invention.
Claims (10)
1. A method for monitoring and handling malicious attacks on virtual hosts, characterized in that it is applied to each node server in a distributed system, at least one virtual host being deployed on each node server, the method comprising:
Capturing in real time all inbound IP data packets and parsing them;
When the preset detection interval time is reached, obtaining, from the parsed IP data packets, the actual data packet size of each virtual host within the preset time interval;
Calculating the actual bandwidth of each virtual host from the actual data packet size of each virtual host;
Judging, for each virtual host, whether its actual bandwidth is greater than its corresponding bandwidth upper limit;
When the actual bandwidth of a virtual host is greater than its corresponding bandwidth upper limit, disconnecting the network of that virtual host.
2. The method for monitoring and handling malicious attacks on virtual hosts according to claim 1, characterized in that the inbound IP data packet is: an IP data packet sent by a device other than the local node server.
3. The method for monitoring and handling malicious attacks on virtual hosts according to claim 1, characterized in that:
Each parsed IP data packet comprises: a destination IP address and the parsed data packet;
Said obtaining, when the preset detection interval time is reached and from the parsed IP data packets, the actual data packet size of each virtual host within the preset time interval is specifically:
Adding each parsed data packet to the data packet list of the virtual host corresponding to its destination IP address;
When the preset detection interval time is reached, counting, from the data packet list of each virtual host, the actual data packet size of each virtual host within the preset time interval.
4. The method for monitoring and handling malicious attacks on virtual hosts according to claim 1, characterized in that said calculating the actual bandwidth of each virtual host from the actual data packet size of each virtual host is specifically:
Dividing the actual data packet size of each virtual host by the preset time interval to obtain the actual bandwidth of each virtual host.
5. The method for monitoring and handling malicious attacks on virtual hosts according to any one of claims 1-4, characterized by further comprising:
Receiving configuration information sent by the management background server, the configuration information comprising: the bandwidth upper limit of each virtual host.
6. A node server, characterized in that at least one virtual host is deployed on the node server, comprising:
A capture and parsing module, for capturing in real time all inbound IP data packets and parsing them;
A size acquisition module, for obtaining, when the preset detection interval time is reached and from the parsed IP data packets, the actual data packet size of each virtual host within the preset time interval;
A bandwidth calculation module, for calculating the actual bandwidth of each virtual host from the actual data packet size of each virtual host;
A bandwidth judgment module, for judging, for each virtual host, whether its actual bandwidth is greater than its corresponding bandwidth upper limit;
A network disconnection module, for disconnecting the network of a virtual host when the actual bandwidth of that virtual host is greater than its corresponding bandwidth upper limit.
7. The node server according to claim 6, characterized in that each parsed IP data packet comprises: a destination IP address and the parsed data packet;
The size acquisition module, for obtaining, when the preset detection interval time is reached and from the parsed IP data packets, the actual data packet size of each virtual host within the preset time interval, specifically comprises:
A collecting submodule, for adding each parsed data packet to the data packet list of the virtual host corresponding to its destination IP address;
A statistics submodule, for counting, when the preset detection interval time is reached, the actual data packet size of each virtual host within the preset time interval from the data packet list of each virtual host.
8. The node server according to claim 6, characterized in that the bandwidth calculation module, for calculating the actual bandwidth of each virtual host from the actual data packet size of each virtual host, is specifically:
The bandwidth calculation module, for dividing the actual data packet size of each virtual host by the preset time interval to obtain the actual bandwidth of each virtual host.
9. The node server according to any one of claims 6 to 8, characterized by further comprising:
An information receiving module, for receiving configuration information sent by the management background server, the configuration information comprising: the bandwidth upper limit of each virtual host.
10. A system for monitoring virtual hosts for malicious attack, characterized by comprising: a management background server and a plurality of node servers according to any one of claims 6-9.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811232473.9A CN109413062A (en) | 2018-10-22 | 2018-10-22 | Fictitious host computer is by the monitor processing method of malicious attack and system, node server |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109413062A (en) | 2019-03-01 |
Family
ID=65468241
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811232473.9A Pending CN109413062A (en) | 2018-10-22 | 2018-10-22 | Fictitious host computer is by the monitor processing method of malicious attack and system, node server |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109413062A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20210133067A1 (en) * | 2019-11-04 | 2021-05-06 | Mastercard International Incorporated | Monitoring in distributed computing system |
US11997190B2 (en) | 2019-06-05 | 2024-05-28 | Mastercard International Incorporated | Credential management in distributed computing system |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102043917A (en) * | 2010-12-07 | 2011-05-04 | 成都市华为赛门铁克科技有限公司 | Distributed denial of service (DDOS) attack protection method, device and system for cloud computing system |
CN102902599A (en) * | 2012-09-17 | 2013-01-30 | 华为技术有限公司 | Virtual machine internal fault processing method, device and system |
CN104063267A (en) * | 2014-07-11 | 2014-09-24 | 孙强强 | Method and system for monitoring flow of virtual machine |
US8935692B2 (en) * | 2008-05-22 | 2015-01-13 | Red Hat, Inc. | Self-management of virtual machines in cloud-based networks |
CN107666383A (en) * | 2016-07-29 | 2018-02-06 | 阿里巴巴集团控股有限公司 | Message processing method and device based on HTTPS agreements |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20190301 |